👉 Overview
👀 What?
Windows LAPS (Local Administrator Password Solution) is a security tool developed by Microsoft. It randomizes and manages the local administrator password of each domain-joined computer, so that a credential or hash taken from one machine cannot be reused on others, which mitigates the risk of a Pass the Hash (PtH) attack.
🧐 Why?
LAPS is significant because it helps organizations improve their security posture. Without LAPS, organizations often end up using the same local administrator password across many systems. This is risky: if a single system is compromised, every other system sharing that password is exposed as well. LAPS addresses the problem by giving each system a unique local administrator password that is changed on a regular schedule.
⛏️ How?
To implement LAPS, you first extend the Active Directory schema, install the LAPS management tools on the management computers, and set the permissions for the computers and users in Active Directory. After that, install the LAPS client-side extension on the target computers. Finally, use Group Policy to enable and configure LAPS.
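The deployment steps above, written out as an added example against the original (legacy) LAPS `AdmPwd.PS` module; this is not code from the page, and the domain, OU and group names are placeholders. The built-in Windows LAPS in current Windows releases ships analogous `*-LapsAD*` cmdlets (e.g. `Update-LapsADSchema`, `Set-LapsADComputerSelfPermission`), but the attribute names discussed on this page belong to the legacy module shown here.

```powershell
# Added example: legacy LAPS (AdmPwd.PS module) deployment, not code from the original page.
# Placeholders: domain contoso.com, OU "OU=Workstations,DC=contoso,DC=com",
# and a group "CONTOSO\LAPS-Admins" that may read and reset the managed passwords.
# Run on a management host where LAPS was installed with the "Management Tools" feature,
# as a Schema Admin for step 1 and a Domain Admin for steps 2 and 3.

Import-Module AdmPwd.PS

# 1. Extend the AD schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (once per forest).
Update-AdmPwdADSchema

$ou = "OU=Workstations,DC=contoso,DC=com"

# 2. Allow each computer in the OU to write its own password and expiration attributes (SELF).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant the operator group the extended rights to read the clear-text password and to force a reset.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals "CONTOSO\LAPS-Admins"
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals "CONTOSO\LAPS-Admins"

# 4. Check who actually holds extended rights on the OU. Any principal beyond the intended
#    administrators (or inherited ACEs such as a broad "All extended rights" grant) means the
#    clear-text password is readable by more accounts than planned.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 5. Install the client-side extension on the target computers, e.g. with the MSI:
#    msiexec /i LAPS.x64.msi /quiet
# 6. Copy AdmPwd.admx/.adml from the install directory to the Group Policy central store,
#    then in a GPO linked to the OU enable "Enable local admin password management"
#    (Computer Configuration > Administrative Templates > LAPS) and set length, complexity and age.
```

Step 4 is the check worth repeating after any delegation change: the password is protected only by the ACL on the attribute, so the list of extended-right holders is the real access policy.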
⏳ When?
The use of LAPS began gaining traction in the mid-2010s as organizations became more aware of the risks associated with shared local administrator passwords.
⚙️ Technical Explanations
In a nutshell, LAPS works by extending the Active Directory schema with two new attributes: ms-Mcs-AdmPwd, which stores the password in clear text, and ms-Mcs-AdmPwdExpirationTime, which stores the time of the next password reset. The LAPS client-side extension installed on each managed system resets the local administrator password and writes the new value back to the ms-Mcs-AdmPwd attribute of its own computer object in Active Directory. Only users and systems that have been granted the necessary permissions on that attribute can read the password. In addition, LAPS allows password changes and reads of the password to be audited, so that each access can be traced back to an individual user.
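The two attributes described above can be inspected directly, which is the routine health and exposure check a defender runs after deployment. The following is an added example, not code from the original page; it assumes the `ActiveDirectory` and legacy `AdmPwd.PS` modules, an account permitted to read the attributes, and placeholder OU and computer names.

```powershell
# Added example (not from the original page): health and audit checks on the two LAPS attributes.
# Placeholders: OU "OU=Workstations,DC=contoso,DC=com" and computer "WS-0001".

Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = "OU=Workstations,DC=contoso,DC=com"

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
# A missing value means the CSE has never run on that host; a value in the past means the
# password was not rotated on schedule (host offline, GPO not applying, or missing SELF rights).
$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [pscustomobject]@{
            Computer = $_.Name
            Managed  = [bool]$raw
            Expires  = $expires
            Overdue  = (-not $raw) -or ($expires -lt $now)
        }
    } |
    Where-Object Overdue |
    Format-Table -AutoSize

# Enable auditing of reads of ms-Mcs-AdmPwd for the OU. Each retrieval is then recorded on the
# domain controllers in the Security log (event 4662 on the computer object), which is what
# makes a password read traceable to the account that performed it.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals "Everyone"

# Read one managed password (requires the read extended right) and force an early rotation,
# e.g. after the password has been used in a support session.
Get-AdmPwdPassword -ComputerName "WS-0001"
Reset-AdmPwdPassword -ComputerName "WS-0001"
```

The first query is the one to schedule: a growing list of overdue or unmanaged computers means the local administrator passwords on those hosts are no longer unique or rotating, which is exactly the condition LAPS exists to prevent.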